Many of our readers are now pursuing the Cisco Security
Specialist 1 certificate, and still others are simply wondering how to
configure the mighty PIX Firewall. The PIX Firewall is without a doubt the
way to secure enterprise networks. Used in conjunction with the IOS
Firewall Feature Set (now known as Cisco Secure Integrated Software) running on
a Cisco router, Cisco's security solution is far superior to weak software
applications that run on Unix or NT. RouterGod Online Magazine reporter
John Riehl sought out beautiful Denise Richards to help us learn how to
configure the PIX Firewall. John is a Cisco instructor and holds the CCSP
and CISSP certificates. When not teaching Cisco, John likes to tell wild
stories about his days in the circus where he was known as the Polish Invisible Man.
When not being beautiful, Denise practices
kickboxing and enjoys watching American Chopper on TV. Let's join JR as he interviews
Denise about the PIX Firewall.
RFC 1918 Addresses are used to protect the innocent.

With her hair up, Denise now meets the business casual dress code at most workplaces.

JR

Well hello Denise, thanks for agreeing to
help us learn how to configure the PIX Firewall.

Denise

It's my pleasure Yuriy, let's cut right to the chase and talk about the
PIX. The PIX is not a router; it cannot participate in dynamic
routing protocols. The PIX in its most basic form is simply a box
with 2 Ethernet interfaces. One interface is "inside"
and one interface is "outside". Traffic cannot flow
from the outside interface to the inside interface unless you
specifically allow it. Traffic cannot flow from the inside
interface to the outside interface unless you configure Network Address
Translation. Traffic initiated from the inside may return through
the outside interface.

JR

So the PIX is really just a
couple of NIC cards?

Denise

Not so fast, Comrade! The PIX
uses the Adaptive Security Algorithm to perform Stateful Packet
Inspection on traffic leaving the Firewall. The PIX uses a real-time,
embedded operating system to track the propriety of thousands of simultaneous
connections.

JR

Oh My God! This sounds too
complicated! Let's forget about it, maybe you should tell us how a
console cable works or maybe which end of a power cord plugs into the
wall...

Denise

Ha Ha! Don't be such a baby! The PIX
is easy! It uses a Command Line Interface, not one of those
complicated GUIs like Checkpoint! The PIX has 3 command modes:
User Mode, Privileged Mode and "Global" Config Mode.
There is no concept of Interface Config Mode, and the cool thing is that
SHOW commands can be used at Global Config! By default the PIX
interfaces are shut down. To do a "no shut" on the
outside interface you would use the following command:

    interface ethernet0 auto

To give it an IP address you would use a command like this:

    ip address outside 192.168.1.1 255.255.255.0

JR

Wow! You really know your PIX Firewalls!

Denise

What do you think, I'm just a hot babe? Now let's configure Network
Address Translation. It consists of 2 steps: defining the inside
users eligible for outbound connections, and defining the pool of global
IP addresses to be translated into. If you wanted all your users
to use NAT the command would be:

    nat (inside) 1 0.0.0.0 0.0.0.0

The "1" in this command is the "NAT ID"; it must
match the NAT ID in the global command, which I'll show you in a
minute. The fields 0.0.0.0 and 0.0.0.0 are IP Address and Netmask
respectively. The PIX will let you abbreviate a default field with
a single zero. Here is an example:

    nat (inside) 1 0 0

The next step is to define the pool of global IP addresses.
Let's say that you have the range 192.168.1.2 through
192.168.1.6/24. The command would be:

    global (outside) 1 192.168.1.2-192.168.1.6 netmask 255.255.255.0

Don't forget that the IP address of the PIX's outside interface
cannot be in the pool of global addresses.

JR

So now the users on the inside can get out. In a small network,
how does the inside traffic that is destined for the outside world know
about the PIX?

Denise

If it's a small network, like one subnet and no internal router, just
configure all the workstations' Default Gateway with the IP address of
the PIX's inside interface. If there is an internal router between
the PIX and your users, the workstations will naturally have the router
as the Default Gateway and the router will have a default static route
pointing to the PIX. If there are internal networks on the other
side of your internal router (from the PIX's perspective), you have to
tell the PIX about them.

JR

How do you do that? How does the PIX know where to forward
packets for those networks that are not directly connected?

Denise

It's easy, you do it with a static route statement. Say the PIX
is directly connected to the 10.1.1.0/24 network. The 10.1.2.0/24
network is on the other side of a router with an IP address of
10.1.1.3. You would add the following command:

    route inside 10.1.2.0 255.255.255.0 10.1.1.3

JR

OK, I see how inside traffic
makes it to the PIX, but how does the PIX know what to do with the
outbound traffic?

Denise

You would
configure a static default route. Say the next-hop router is at
192.168.1.254; the command would be:

    route outside 0.0.0.0 0.0.0.0 192.168.1.254

JR

What
if I have a web server inside at 10.1.1.7 but it is known globally with
the legal address of 192.168.3.22?

Denise

You
would use a "static" to allow this translation from the
outside to the inside. Here's how:

    static (inside, outside) 192.168.3.22 10.1.1.7

Just writing
the static is not enough though; you have to expressly grant permission
for traffic to flow inward, and you do it with a "conduit".
A conduit is like an extended access-list except the source and
destination fields are reversed. Here's the conduit that
corresponds with the above static:

    conduit permit tcp host 192.168.3.22 eq 80 any

Notice that
conduits use the Global address and not the local (inside) address from
the static command.